Unsanitary Firefox gets fix for critical HTML-handling hijack flaw

Versions 56 through 58 need patching, pronto

Mozilla has patched a nasty security bug in Firefox, affecting versions 56, 57 and 58, and their point updates.

The CVSS-8.8-rated flaw means that if an attacker can get a user to open a malicious document or link, remote code execution becomes a possibility – allowing spyware, ransomware and other nasties to be installed and run.

An advisory from Cisco explains: “The vulnerability is due to insufficient sanitisation of HTML fragments in chrome-privileged documents by the affected software … A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.”

That's not chrome as in Google Chrome, by the way, that's chrome as in a confusingly named component of the Firefox engine.

Affected versions are: 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The bug is not present in Firefox for Android or Firefox 52 ESR. The fix is in Firefox 58.0.1, which you can download here.

Maglione noted that the problem arises because it's impossible to block inline scripts: “The risk of XSS in chrome documents is much higher than it is in web content. Unfortunately, we currently rely on so much inline JS in our static XUL documents that that's not really feasible in the short term.”

The knock-on of that is that an issue has been filed for the future Firefox 60 channel, with developer J Ryan Stinnett explaining: “Once DevTools upgrades to React 16, it should be possible for the Browser component to move away from `innerHTML`. It's currently used only because React before 16 doesn't allow non-standard attributes.”

Such changes would inoculate Firefox 60 against a similar bug in future. ®